Skip to main content

Privacy Policy

Effective: · Last updated:

This Privacy Policy describes how Xor Arcade (“we”, “our”, “us”), operated by Jiexiong Zhou, collects, uses, and protects information when you visit xorarcade.com, play our games in the browser, or use our mobile apps published on the Apple App Store and Google Play. It also covers browser games hosted on subdomains we operate (for example, haydoku.xorarcade.com). You can contact the data controller at the email listed in the Contact Us section.

This is a unified policy: a single document covers the marketing site, the embedded web games, and the mobile apps. Where a mobile platform or a specific game introduces additional data flows, we describe them in the relevant section below.

Information We Collect

We do not require an account to browse xorarcade.com or to play our web games. We do not run advertising networks on the marketing site itself.

We collect aggregate, anonymous usage statistics through Cloudflare Web Analytics on xorarcade.com (described below). No personal identifiers, IP addresses, or cross-site tracking cookies are stored on your device by us when you browse the marketing site.

Our mobile apps and web games may collect additional device-level information as described in the Web Games and Mobile Apps sections.

Cloudflare Web Analytics (Marketing Site)

We use Cloudflare Web Analytics, a privacy-first analytics service provided by Cloudflare, Inc. It does not use cookies, does not fingerprint visitors, and does not store personal information. The service collects only:

  • The page you visited and the previous referring page
  • Approximate country of origin (derived at the network level, not stored alongside identifiers)
  • Browser type and screen size category
  • Page-load performance metrics

For more detail, see Cloudflare’s documentation on Web Analytics.

Web Games

Our browser games run in <iframe> embeds loaded from subdomains we operate (for example, haydoku.xorarcade.com). Each game may:

  • Store gameplay progress (current level, settings, daily streak) in your browser’s localStorage — this never leaves your device unless you explicitly enable a cloud-sync feature
  • Load minimal analytics consistent with the policies described above
  • Serve in-game artwork, audio, and gameplay logic from the game’s subdomain

Each game’s specific data behavior, where it differs from this baseline, is described inside the game’s in-game settings menu.

Mobile Apps

When you install and use our mobile apps from the Apple App Store or Google Play, additional data flows apply.

Device Identifiers

Mobile platforms provide each app with a device identifier (Apple’s IDFA on iOS, Google’s Advertising ID on Android, or a non-resettable Vendor ID). We may use these identifiers to:

  • Distinguish one device from another for crash analytics and gameplay statistics
  • Attribute paid acquisition (when applicable) so we know which advertising channels work

You can reset or limit these identifiers at any time in your device settings (iOS: Settings → Privacy & Security → Tracking; Android: Settings → Privacy → Ads).

In-App Purchases

If a game offers in-app purchases, all transactions are processed by Apple (App Store) or Google (Google Play). We use RevenueCat, a third-party purchase infrastructure provider, to verify receipts and reconcile your purchases. RevenueCat receives:

  • The platform’s purchase receipt (for server-side verification)
  • The product purchased and price tier
  • A random anonymous identifier that RevenueCat generates internally on first launch — this identifier is not linked to your real name, email, the Cloud Save account identifier described above, or any other user data we hold

RevenueCat does not receive your real name, email, or payment instrument detail. See RevenueCat’s privacy policy for their own processing details.

We do not receive your credit card number, billing address, or any other payment instrument detail.

Push Notifications

If a game requests permission to send push notifications, you can grant or deny it at install or at any time later in your device settings. Notifications are used only for game-related events (daily challenge reminders, new content). We never share your push token with third parties.

Game Center (iOS) / Google Play Games Services (Android)

Some games may integrate with Apple Game Center or Google Play Games Services for features such as leaderboards, achievements, or saved-game cloud sync. These services are operated by Apple and Google respectively. When you sign in, the platform shares your nickname (not your real name or email) with the game. Game Center and Play Games are governed by Apple’s and Google’s own privacy policies.

Cloud Save and Cross-Device Sync (Where Offered)

A game may offer optional cloud save so your progress, settings, and unlock state survive device changes. When you enable this feature in a game’s settings:

  • You sign in with Sign in with Apple or Sign in with Google
  • The platform issues us an opaque account identifier (the OAuth/OIDC “subject” claim, commonly called sub) — a stable, pseudonymous string that lets us recognize “this is the same player” across your devices
  • We store only that identifier alongside your encrypted gameplay progress on our cloud-save backend
  • We do not receive your email address, your real name, your Apple ID, or your Google account sign-in credentials

You can delete the identifier and all cloud-saved progress we hold at any time via Settings → Cloud Save → Delete Account inside the game (in-app delete flow per Apple App Store Review Guideline 5.1.1(v)). After deletion you can keep playing locally; re-enabling cloud save starts a fresh profile.

Crash Reporting

Mobile apps may report unexpected crashes to a crash analytics provider (such as Apple’s TestFlight feedback, Google Play Console crash reports, or a third-party tool, where applicable, described in the app’s app store listing). Crash reports include the call stack and device model — they do not include your game progress, names, or any free-text input.

Advertising (Where Applicable)

If a specific mobile app uses third-party ad networks (such as Google AdMob), the app’s app store listing will disclose this. When ads are shown:

  • The ad SDK may use device identifiers to deliver more relevant ads
  • You can opt out of ad personalization in your device settings (iOS: Settings → Privacy & Security → Apple Advertising / Tracking; Android: Settings → Privacy → Ads → Opt out of Ads Personalization)
  • For EU / EEA / UK users, the app will request consent through a Google-compliant Consent Management Platform (CMP) before any ad personalization or non-essential tracking takes place
  • Watching a rewarded ad in exchange for in-game currency is always optional — refusing has no effect on your ability to play the core game

We do not maintain our own advertising profiles or sell user data to ad brokers.

App Tracking Transparency (iOS)

On iOS, the first time a game attempts to show a rewarded advertisement, the operating system displays a standard App Tracking Transparency prompt asking whether you allow the app to track your activity across other companies’ apps and websites:

  • If you allow tracking, the ad SDK may use your IDFA to serve personalized rewarded ads
  • If you ask the app not to track, the SDK falls back to non-personalized contextual ads — these still support the game financially but may be less relevant to you
  • You can change this choice at any time in Settings → Privacy & Security → Tracking

Either way, your ability to play the core game is unaffected — declining tracking does not lock content, lives, or features.

Cookies

xorarcade.com does not set any cookies. Embedded web games may use first-party localStorage to save your progress (this is not a cookie). If a future feature requires cookies, we will update this policy and present a clear notice before any cookie is written.

Third-Party Resources

The marketing site does not embed third-party scripts beyond Cloudflare’s analytics beacon. Embedded web games are loaded from subdomains we operate; each game may load its own assets, fonts, or analytics consistent with this policy.

External links — for example, to the App Store, Google Play, or a Game Center leaderboard — take you to third-party properties whose privacy practices we do not control.

Children’s Privacy (COPPA)

Xor Arcade games are designed as general-audience entertainment. We do not knowingly collect personal information from children under 13. Our mobile apps do not request name, age, location, photo, or any other personally identifying input from any user, including children. If you believe a child has provided us with personal information, please contact us so that we can investigate and delete it.

For apps rated for children in app store age-rating systems, we comply with the platform’s children-policy requirements, including not serving personalized advertising to users in this segment.

California Residents (CCPA / CPRA)

Categories of Personal Information Collected (12-Month Look-Back)

In the past twelve months, we have collected the following categories of personal information, as defined under California Civil Code §1798.140:

  • Identifiers — device identifiers (IDFA, Advertising ID, Vendor ID) for mobile apps; no identifiers stored by the marketing site
  • Internet or other electronic network activity — pages visited, browser type, screen size category (aggregate, via Cloudflare Web Analytics)
  • Geolocation data — approximate country of origin (derived at the network level; no precise geolocation)
  • Inferences — none (we do not build user profiles)

We have not sold or shared any of the above with third parties for monetary or other valuable consideration.

Sensitive Personal Information

We do not collect sensitive personal information as defined under California Civil Code §1798.140(ae) (such as government IDs, precise geolocation, racial origin, religion, biometric data, or health information).

Your Rights

California residents have the following rights under CCPA / CPRA:

  • Right to know what personal information we have collected, used, disclosed, or sold/shared about you
  • Right to access the specific pieces of personal information we hold
  • Right to delete personal information we hold about you
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to limit the use and disclosure of sensitive personal information (not applicable here, since we do not collect SPI)
  • Right to non-discrimination for exercising these rights

Do Not Sell or Share My Personal Information

Xor Arcade does not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA. Accordingly, we do not provide a separate “Do Not Sell or Share My Personal Information” link, as none is required under our practices.

Exercising Your Rights

To exercise any of the above rights, contact us at the email listed in the Contact Us section. Where the law requires verification of identity, we will ask you to confirm reasonable identifying details (such as the email address or device identifier associated with your request) before processing.

California residents may also designate an authorized agent to submit requests on their behalf, subject to verification of the agent’s authority.

European Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation, including the right to access, correct, or erase any personal data we may hold about you; the right to restrict or object to processing; the right to data portability; and the right to lodge a complaint with your local data protection authority.

The lawful basis for our limited analytics processing on xorarcade.com is our legitimate interest in understanding aggregate site usage to improve the website. No personal data is processed for profiling. A formal legitimate interest assessment is available on request.

For mobile apps, the lawful basis depends on the data type:

  • Strictly necessary processing (e.g., delivering the game itself) — performance of the contract you formed when downloading the app
  • Optional features (cloud save, ad personalization, push notifications) — your explicit consent, which you can withdraw at any time in device or in-app settings

To exercise these rights, contact us at the email below.

Data Retention

We do not maintain user accounts, so most of the data described in this policy is stored locally on your device or in your Apple / Google account, and is deleted when you uninstall the app or revoke cloud save permission.

For data we do process:

  • Cloudflare Web Analytics aggregate data — retained per Cloudflare’s published retention policy (currently up to six months for the rolling analytics window)
  • Email correspondence — retained for up to 24 months after the last exchange, then deleted, unless a longer period is required to comply with legal obligations
  • Crash reports (mobile apps) — retained per Apple’s or Google’s developer console policies (typically 30-90 days)
  • In-app purchase receipts — retained for the duration required by tax and bookkeeping law in our jurisdiction

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Article 22).

International Transfers

Several of our service providers process data outside the European Economic Area / United Kingdom:

  • Cloudflare (Web Analytics, hosting) — processes traffic at globally distributed edges, including the United States
  • Apple Inc. (App Store, Game Center, push notifications) — United States
  • Google LLC (Google Play, Play Games Services, AdMob where applicable) — United States
  • Email service provider for support@xorarcade.com — may operate outside your country of residence

Where personal data is transferred outside the EEA / UK, we rely on adequacy decisions issued by the European Commission and the UK government where available, and on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as the legal mechanism for transfers to countries without an adequacy decision. Each of the providers above publishes its own supplementary safeguards on its trust or privacy center.

Contact Us

Questions about this policy can be sent to support@xorarcade.com. We aim to respond within seven days.

Changes to This Policy

We may update this policy from time to time. The “Effective” date at the top of this page is the date of original publication; the “Last updated” date reflects the current revision. Material changes will be highlighted at the top of the page for at least thirty days after they take effect.